Petya 'ransomware' ruse for something more sinister, say researchers

George Nott
July 3, 2017

Destruction, not money, was the motivation for attacks that spread to Australia this week.

While an earlier version of Petya from last year modified the disk in a way that allowed it to revert its changes, “2017 Petya does permanent and irreversible damages to the disk”, wrote Comae’s Matt Suiche in a blog post yesterday.

“Petya clearly got rewritten to be a wiper and not an actual ransomware,” he said.

While ransomware encrypts files to be decrypted once a ransom is paid, wipers work differently.

“The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money,” Suiche wrote. “Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the Master Boot Record like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.”

The ransomware ruse was simply a way for those behind the attack to “control the media narrative”, according to Comae, “to attract the attention on some mysterious hacker group rather than a national state attacker”.

Tracing the individuals behind any cyberattack is difficult, as is proving the backing of a nation state. Nevertheless, if destruction in Ukraine was the primary motivation, it has been well-timed. Today is the country’s Constitution Day, a public holiday to mark the country’s independence from Soviet Russia.

The damage suffered in Australia could just be the collateral damage of a battle on the other side of the world.

Affected businesses were yesterday urged to visit the Australian Cyber Security Centre (ACSC) website or call 1300 292371 (1300 CYBER1) for more information.